Trust-wide Biometric Data Usage Procedure
Athena Learning Trust Trust-wide Biometric Data Usage Procedure
Review
Reviewed on: 31st October 2022
Reviewed by: Board
Review Period: 3 years
Contents
- Application 3
- Approval and review 3
- Terminology 3
- Responsibilities 4
- Associated policies and procedures 4
- Introduction 5
- Purpose of Biometrics 5
- Consent and Withdrawal of Consent 5
- Storage of Biometric data 6
- Retention of Biometric data 6
PART A
- Application
This Athena Learning Trust Procedure applies to the Athena Learning Trust as a whole and to all the schools and service units in the Trust, in accordance with and pursuant to the Data Protection Policy of the Athena Learning Trust.
The Athena Learning Trust, including all the schools and services within the Trust, their Trustees, governors and staff, must abide by this Procedure.
This Procedure must be read in conjunction with the Athena Learning Trust Data Protection Policy; all the terms of the Athena Learning Trust Data Protection Policy apply to the interpretation and implementation of this Procedure; if there is any ambiguity or conflict the Athena Learning Trust Data Protection Policy must be followed.
In implementing this Procedure the Trust and its schools and staff, must take account of any advice or instruction given to them by the Athena Learning Trust Data Protection Officer, the Athena Learning Trust CEO or Board of Trustees.
If there is any question or doubt about the interpretation or implementation of this Procedure, the Athena Learning Trust Data Protection Officer or Athena Learning Trust CEO should be consulted.
- Approval and review:
Maintenance of this Procedure is the responsibility of the Athena Learning Trust CEO. This Procedure was approved by the Board of Trustees on: 30 October 2022. This Procedure is due for review by: May 2025.
- Terminology
The Trust means the Athena Learning Trust (Athena Learning Trust).
- School means a school within the Athena Learning Trust.
- Principal means the Principal or principal of the school.
- CEO means the chief executive officer of the Athena Learning Trust.
- Governing Body means the committee of the Board of Trustees to which Trustees have delegated appropriate powers and functions relating to the governance of the school.
- Athena Learning Trust Data Protection Officer means Judicium Consulting Ltd.
- School Data Protection Lead means the point of contact for data protection matters for staff, students and parents in the school.
References in this Procedure to a school in the Trust should also be read as the Trust Shared Service for services, functions and staff of the Trust that are not contained within a school budget and/or are not the responsibility of a Principal and/or Governing Body. With respect to the Trust Shared Service references in this Procedure to the responsibilities of the Principal and Governing Body should be read as the Athena Learning Trust CEO and the Trust Shared Services Committee respectively.
1.4 Responsibilities
For the purposes of data protection legislation, the Athena Learning Trust is the Data Controller, and can be contacted by writing to Athena Learning Trust, Dunheved House, Hurdon Rd, Launceston, PL15 9JR
The Athena Learning Trust Data Protection Officer is: Judicium Consulting Limited. Email: dataservices@judicium.com
Address: 72 Cannon Street, London, EC4N 6AE Telephone: 0203 326 9174
Lead Contact: Craig Stilwell
1.5 Associated policies and procedures
This Procedure is a constituent part of the Athena Learning Trust Data Protection Policy.
The following Trust policies and procedures are directly related to and complement this Athena Learning Trust Biometric Data Usage Procedure:
- Athena Learning Trust Safeguarding Policy and associated school policies and addendums.
- Athena Learning Trust ICT Policy.
PART B
- Introduction
Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person; this can include their fingerprints, facial shape, retina and iris patterns, and hand measurements.
The Athena Learning Trust recognises that biometrics systems can be privacy intrusive.
The Athena Learning Trust does not currently make use of facial recognition data.
All biometric data is considered to be special category data under the UK General Data Protection Regulation (UK GDPR). This means the data is more sensitive and requires more protection as this type of data could create more significant risks to a person’s fundamental rights and freedoms.
This Procedure complies with The Protection of Freedoms Act 2012 (sections 26 to 28), the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and the guidance produced by the Information Commissioner.
The purpose of this Procedure is to regulate the management, operation and use of biometric data across the Trust.
An automated biometric recognition system uses technology which measures an individual’s physical or behavioural characteristics by using equipment that operates ‘automatically’ (i.e. electronically). Information from the individual is automatically compared with biometric information stored in the system to see if there is a match in order to recognise or identify the individual.
‘Processing’ of biometric data includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including (but not limited to) disclosing it, deleting it, organising it or altering it.
As biometric data is special category data, in order to lawfully process this data, the Trust must have a legal basis for processing personal data and a separate explicit consent (which satisfies the fair processing conditions for personal data and special category data).
- Purpose of Biometric Data
The Athena Learning Trust collects and uses biometric data individuals in order to provide education and associated functions, including for the following purposes:
- To enable the efficient operation of school canteen provision.
- To enable the efficient operation of a school library.
- Consent and Withdrawal of Consent
In accordance with the Data Protection Policy, each school will notify staff, students and parents of how the school intends to use and process biometric data and seek their consent.
If a member of staff, student or parent objects to the processing of their biometric data, the school will not be permitted to use the biometric data and will provide reasonable alternatives which will allow the student or staff member to access the same facilities that they would have had access to had their biometric data been used.
Staff, students and parents can also object at a later stage to the use of their biometric data. This should be in writing or by email to the School Data Protection Lead, requesting that the school no longer uses the biometric data.
- Storage of Biometric Data
Biometric data will be kept securely and systems will be put in place to prevent any unauthorised or unlawful access/use in accordance with the Athena Learning Trust Data Protection Policy.
The biometric data will only be used for the purposes for which it was obtained and such data will not be unlawfully disclosed to third parties.
- Retention of Biometric Data
In accordance with the Athena Learning Trust Data Retention Procedure, biometric data will be stored by the school or by the Third-Party provider (as specified in the school or Trust Privacy Notice) for as long as consent is provided.
If consent has been withdrawn, or once a student or staff member leaves, the biometric data will be deleted from the system within 72 hours.